<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
    <title>ShellCheck: SC2223 – This default assignment may cause DoS due to globbing. Quote it.</title>
    <link rel="stylesheet" href="css/bootstrap.min.css" />
  </head>
  <body style="margin-left: auto; margin-right: auto; max-width: 800px">
    <h1>SC2223 – ShellCheck Wiki</h1>
    <a href="https://github.com/koalaman/shellcheck/wiki/SC2223">See this page on GitHub</a>
    <p style="display: none"><a href="index.html">Sitemap</a></p>
    <hr />
    <h2
id="this-default-assignment-may-cause-dos-due-to-globbing-quote-it">This
default assignment may cause DoS due to globbing. Quote it.</h2>
<h3 id="problematic-code">Problematic code:</h3>
<div class="sourceCode" id="cb1"><pre class="sourceCode sh"><code class="sourceCode bash"><span id="cb1-1"><a href="SC2223.html#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="bu">:</span> <span class="va">${COLUMNS</span><span class="op">:=</span>80<span class="va">}</span></span></code></pre></div>
<h3 id="correct-code">Correct code:</h3>
<div class="sourceCode" id="cb2"><pre class="sourceCode sh"><code class="sourceCode bash"><span id="cb2-1"><a href="SC2223.html#cb2-1" aria-hidden="true" tabindex="-1"></a><span class="bu">:</span> <span class="st">&quot;</span><span class="va">${COLUMNS</span><span class="op">:=</span>80<span class="va">}</span><span class="st">&quot;</span></span></code></pre></div>
<h3 id="rationale">Rationale:</h3>
<p>This statement is an idiomatic way of assigning a default value to an
environment variable. However, even though it's passed to <code>:</code>
which ignores arguments, it's better to quote it.</p>
<p>If <code>COLUMNS='/*/*/*/*/*/*'</code>, the unquoted, problematic
code may spend 30+ minutes trashing the disk as it unnecessarily tries
to glob expand the value.</p>
<p>The correct code uses double quotes to avoid glob expansion, and
therefore does not have this problem.</p>
<p>When quoting, make sure to update any inner quotes:</p>
<pre><code>: ${var:=&#39;foo&#39;}    # Assigns foo without quotes
: &quot;${var:=&#39;foo&#39;}&quot;  # Assigns &#39;foo&#39; with quotes</code></pre>
<h3 id="exceptions">Exceptions:</h3>
<p>None, though this issue is largely theoretical.</p>
    <hr />
    <p style='font-size: 80%'><a href="../index.html">ShellCheck</a> is a static analysis tool for shell scripts. This page is part of its documentation.</p>
  </body>
</html>


